Thursday, 31 July 2014

Lauded for his outstanding
service to the country as the Ministry of Justice’s lead negotiator, overseeing
the negotiations on the European Commission’s data protection proposals, John
has left the MoJ and the Civil Service. His departure will leave a huge gap
which, at this delicate stage in the DAPIX data protection discussions, will be
extraordinarily difficult to fill.

John was appointed Head of EU and International Data
Protection Policy at the MoJ in November 2011. He had completed a review of
Claims Management Regulation, and previously led MoJ’s engagement with Muslim
communities on raising awareness of domestic and matrimonial law. He also
headed the UK delegation to the 2011 Special Commission on the practical
application of the Hague Conventions on international child abduction. So he has
a huge range of experience that I’m sure most organisations would do anything
to take advantage of.

All eyes will be focused on his LinkedIn account for the official announcement of
his next role. I’m sure I join many UK data protection professionals in wishing
John the very best for the future.

Wednesday, 30 July 2014

Last Monday, some
prominent European data protection commentators, each with links deep within European
Commission institutions, predicted that we would see fewer EU officials
travelling to the UK to discuss and negotiate EU positions in future.

Why?

Because,
increasingly, the UK is judged as “a lost cause”.

Monday’s
workshop on the Data Retention and Investigatory Powers Act, held at the Free
Word Centre in Central London, with proceedings conducted (mostly) under
Chatham House rules, was attended by a fair smattering of the UK’s data
protection finest academics, practitioners and campaigners, together with some
of the greatest of the good of the land.

While the
focus of the meeting was on what ought to happen next in light of the speedy
passage of DRIP through Parliament, and what preparations needed to be made to
facilitate a more fundamental review of the Regulation of Investigatory Powers
Act, 2000, a number of key observations were made which illustrate just how significantly
the tectonic plates which frame the relationship between the UK and the
European Union are shifting.

From a data
protection perspective, this shift has some key implications.

Most
importantly, the debate within the UK as to whether the new legal instrument
setting out new data protection rules should be cast as a Regulation or a
Directive becomes less significant.

Why?

Because by
the time the deadline arrives for the new legal instrument to be implemented by
EU Member States, the UK needs to plan for the possibility that it won’t be an EU
Member State any more. In light of the “in-out EU referendum”, whenever that is
held, some very smart minds now need to plan for the contingency that the UK
will have cast itself away from the EU, and will therefore expect to be treated
as a non-EU country with “adequate” data protection safeguards. Just like
Andorra, Argentina, Guernsey, the Faroe Islands, the Isle of Man, Israel,
Jersey and Uruguay – to mention but a few.

In this
scenario, the UK’s revisions to the current 1988 Data Protection Act need not
be as radical and as dogmatic as the changes that might be imposed on the data
controllers situated elsewhere in the EU. The UK could even keep its DPA
registration fee – which might well come as a relief to the MoJ bods currently
struggling with the task of inventing a scheme similar to (but not called the
same as) the current ICO funding process. This will allow data controllers,
rather than public funds, to continue to meet the lion’s share of the ICO’s
budget.

In this
scenario, the UK won’t need to adopt all of the provisions in a Regulation to
be accepted as having “adequate” data protection arrangements. Remember, after
all, what the Article 29 Working Party had to say about the Faroe Islands back
in 2007:

“While
Faeroese law may not meet every requirement imposed upon the Member States by
the Data Protection Directive, the Working Party is aware that adequacy does
not mean complete equivalence with the level of protection set by the
Directive. Thus, on the basis of the above mentioned findings, and the
additional information given by the Faroe Islands, the Working Party concludes
that the Faroe Islands ensure an adequate level of protection within the
meaning of Article 25(6) of Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data.”

Another
really significant insight from the workshop came from someone who suggested
that a huge amount of the blame for the UK needing to pass its emergency DRIP
legislation actually lay at the door of the Irish Government.

Why?

Because had
the Irish Government not so spectacularly delayed the proceedings (it
really need not have taken some 7 years for the relevant cases to be
heard by the European Court of Justice), the legal arguments would
have been assessed by judges in a “pre-Snowden” climate, where public
“interest” (and press “outrage”) at the alleged activities of various national
security agencies would have registered at a much lower level.

The Irish
Government originally opposed the data retention proposals as it wanted
communications data to be retained for 3 years, rather than the maximum of 2
years that was eventually agreed. So, it
is ironic that much of the credit for striking down the Data Retention Directive
has been taken by an Irish digital rights organisation.

The topic of
drafting fresh EU-wide communications data retention legislation for law
enforcement purposes seems currently far too toxic for the policymakers of EU
Member States and for EU officials to want to visit again.

Before they
do, they will need to possess more credible sets of cojones.

Tuesday, 22 July 2014

Given the
events of last week, it hasn’t been long before various wags have been
comparing the passage of the Data Retention and Investigatory Powers Act
through Parliament with another example of hasty legislation, the Dangerous
Dogs Act.

A few are
already calling DRIP the ‘Dangerous Logs Act’ – but I think that’s wrong.

Having been
(slightly) involved in the discussions that led to the drafting of the DDA,
almost exactly 23 years ago, (I was the Association of British Insurers’
Legislation Manager at the time) I thought I should explain why.

The
Dangerous Dogs legislation was prepared in great haste during the early part of
the summer of 1991, following a spate of dog attacks on young children. The
ensuing media commotion and the cry that “something should be done” led to Parliamentary draftsmen being given
almost no notice with which to create a legal instrument that would have the
effect of assuring the public that sufficient was being done before Parliament
rose for its summer holidays. With minimal debate, a short (10 clause) bill was
rushed through both Houses of Parliament, and it received Royal Assent on 25
July 1991.

Significantly,
the DDA sought to cover four types of dog, and cross breeds of these types. They
were the pit bull terrier, the Japanese tosa, the dogo argentino and the fila
brasileiro. Classifying the prohibited animals by “type” rather
than by breed label caused huge problems. No-one had thought about whether,
on the face of the bill, there should be a provision to set out who had
sufficient expertise to assess whether an animal that was brought before them
actually had the relevant offending physical characteristics. So chaos ensued as the initial attempts were made by courts to decide which animals should be put
down, and which owners should be prosecuted for acting unlawfully.

The RSPCA criticised the act as like using “a
sledgehammer to crack a nut,” and argued that it was wrong to criminalise
individual breeds of dog: “Demonising individual breeds does not achieve
anything as all breeds can attack people, just as all breeds can produce wonderful
dogs.”

In
hindsight, this was rushed legislation which was an overreaction to a transient
public mood.

Now, let’s turn to recent events.

The Data
Retention and Investigatory Powers Act was prepared in less haste during the
early part of 2014, following an adverse judgment in cases heard by the
European Court of Justice, which declared the Data Retention Directive (2006/24/EC)
invalid. This was the legislation that provided the statutory underpinning for the data retention obligations that had been imposed on European
telecommunications service providers. It became necessary to ensure that the UK
providers could have a degree of legal certainty as to what records should be
kept and for how long, in order that they could be subsequently made available
to law enforcement investigators (when it was necessary and proportionate for
them to demand it).

Accordingly,
Parliamentary draftsmen created a legal instrument that would have the effect
of assuring providers that sufficient was being done before Parliament rose for
its summer holidays. With minimal debate, a short (eventually 8 clause) bill
was rushed through both Houses of Parliament, and it received Royal Assent on
17 July 2014.

Significantly, DRIP was designed as a short-term measure that would offer some immediate
protection to providers, while at the same time enabling Parliament to embark
on a longer-term review of the issue of how communications data is used for law
enforcement purposes. The longer-term nature of the review means that the major
decisions will be made by the Government that is to be formed after the next general
election.

Accordingly,
this controversial issue has been “parked” by politicians who currently have at
least one eye on the forthcoming election. Whatever proposals are to emerge from
their review of the current legislation will generate a huge degree of media attention. But no political
party wants to deal with potentially divisive issues (particularly when
elements of the media hold entrenched positions that don’t accord with Home
Office views), when their main aim is appearing united and focused on what will
really inspire an electorate.

Unlike the
DDA, I really don’t think that, in hindsight, commentators will view DRIP as an
overreaction to a transient public mood.

Sunday, 13 July 2014

Bearing in mind the audit points that the ICO auditors tend
to raise when they visit an organisation, what issues should you focus on,
bearing in mind that businesses have many things to worry about, in addition to
worrying about not getting on the wrong side of the regulator?

And, just as importantly, how much is the busy data
protection professional prepared to pay to get a set of decent audit questions?

Well, if you are
prepared to pay as little as £5.99 to learn more about my audit methodology,
then read on.

I’ve just
published a short guide for the busy data protection professional who needs to
ensure that their organisation operates practices and procedures which meet their
legal obligations. People who follow the advice in this guide will
significantly improve the likelihood that, should their organisation be
examined, the ICO will determine that there is a high level of assurance that
effective controls are in place.

Data protection professional, beware - this is
not a book designed for people who are obsessed with complying with absolutely
every aspect of data protection law. Some may think that I've set the bar far
too low in terms of what needs to be done to demonstrate that organisations
take data protection issues sufficiently seriously.

Please, reader, please feel free to part with
£5.99 of your own money and decide for yourself as to how robust my audit
methodology is. If you have, and can also monitor, the controls that I've
outlined in my guide, then as far as I’m concerned, you're well on the way to
data protection nirvana.

I’m always open
to suggestions or proposals about publishing this methodology in an alternative
format. I’m embarking on the digital format first. Once I’ve learnt whether others are just as
excited about it as I am (and as my clients who have submitted themselves to this
audit methodology are), then I’ll consider revising it and publishing it as a
paperback, too.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.